<?xml version="1.0" encoding="ascii"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
          "DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
  <title>esapi.encoder</title>
  <link rel="stylesheet" href="epydoc.css" type="text/css" />
  <script type="text/javascript" src="epydoc.js"></script>
</head>

<body bgcolor="white" text="black" link="blue" vlink="#204080"
      alink="#204080">
<!-- ==================== NAVIGATION BAR ==================== -->
<table class="navbar" border="0" width="100%" cellpadding="0"
       bgcolor="#a0c0ff" cellspacing="0">
  <tr valign="middle">
  <!-- Home link -->
      <th>&nbsp;&nbsp;&nbsp;<a
        href="esapi-module.html">Home</a>&nbsp;&nbsp;&nbsp;</th>

  <!-- Tree link -->
      <th>&nbsp;&nbsp;&nbsp;<a
        href="module-tree.html">Trees</a>&nbsp;&nbsp;&nbsp;</th>

  <!-- Index link -->
      <th>&nbsp;&nbsp;&nbsp;<a
        href="identifier-index.html">Indices</a>&nbsp;&nbsp;&nbsp;</th>

  <!-- Help link -->
      <th>&nbsp;&nbsp;&nbsp;<a
        href="help.html">Help</a>&nbsp;&nbsp;&nbsp;</th>

      <th class="navbar" width="100%"></th>
  </tr>
</table>
<table width="100%" cellpadding="0" cellspacing="0">
  <tr valign="top">
    <td width="100%">
      <span class="breadcrumbs">
        <a href="esapi-module.html">Package&nbsp;esapi</a> ::
        Module&nbsp;encoder
      </span>
    </td>
    <td>
      <table cellpadding="0" cellspacing="0">
        <!-- hide/show private -->
        <tr><td align="right"><span class="options">[<a href="javascript:void(0);" class="privatelink"
    onclick="toggle_private();">hide&nbsp;private</a>]</span></td></tr>
        <tr><td align="right"><span class="options"
            >[<a href="frames.html" target="_top">frames</a
            >]&nbsp;|&nbsp;<a href="esapi.encoder-pysrc.html"
            target="_top">no&nbsp;frames</a>]</span></td></tr>
      </table>
    </td>
  </tr>
</table>
<h1 class="epydoc">Source Code for <a href="esapi.encoder-module.html">Module esapi.encoder</a></h1>
<pre class="py-src">
<a name="L1"></a><tt class="py-lineno">  1</tt>  <tt class="py-line"><tt class="py-comment">#!/usr/bin/python</tt> </tt>
<a name="L2"></a><tt class="py-lineno">  2</tt>  <tt class="py-line"><tt class="py-comment"># -*- coding: utf-8 -*-</tt> </tt>
<a name="L3"></a><tt class="py-lineno">  3</tt>  <tt class="py-line"> </tt>
<a name="L4"></a><tt class="py-lineno">  4</tt>  <tt class="py-line"><tt class="py-docstring">"""</tt> </tt>
<a name="L5"></a><tt class="py-lineno">  5</tt>  <tt class="py-line"><tt class="py-docstring">@license: OWASP Enterprise Security API (ESAPI)</tt> </tt>
<a name="L6"></a><tt class="py-lineno">  6</tt>  <tt class="py-line"><tt class="py-docstring">     </tt> </tt>
<a name="L7"></a><tt class="py-lineno">  7</tt>  <tt class="py-line"><tt class="py-docstring">    This file is part of the Open Web Application Security Project (OWASP)</tt> </tt>
<a name="L8"></a><tt class="py-lineno">  8</tt>  <tt class="py-line"><tt class="py-docstring">    Enterprise Security API (ESAPI) project. For details, please see</tt> </tt>
<a name="L9"></a><tt class="py-lineno">  9</tt>  <tt class="py-line"><tt class="py-docstring">    U{http://www.owasp.org/index.php/ESAPI&lt;http://www.owasp.org/index.php/ESAPI&gt;}.</tt> </tt>
<a name="L10"></a><tt class="py-lineno"> 10</tt>  <tt class="py-line"><tt class="py-docstring"></tt> </tt>
<a name="L11"></a><tt class="py-lineno"> 11</tt>  <tt class="py-line"><tt class="py-docstring">    The ESAPI is published by OWASP under the BSD license. You should read and </tt> </tt>
<a name="L12"></a><tt class="py-lineno"> 12</tt>  <tt class="py-line"><tt class="py-docstring">    accept the LICENSE before you use, modify, and/or redistribute this software.</tt> </tt>
<a name="L13"></a><tt class="py-lineno"> 13</tt>  <tt class="py-line"><tt class="py-docstring">    </tt> </tt>
<a name="L14"></a><tt class="py-lineno"> 14</tt>  <tt class="py-line"><tt class="py-docstring">@summary: The Encoder interface contains a number of methods for decoding </tt> </tt>
<a name="L15"></a><tt class="py-lineno"> 15</tt>  <tt class="py-line"><tt class="py-docstring">    input and encoding output so that it will be safe for a variety of </tt> </tt>
<a name="L16"></a><tt class="py-lineno"> 16</tt>  <tt class="py-line"><tt class="py-docstring">    interpreters.</tt> </tt>
<a name="L17"></a><tt class="py-lineno"> 17</tt>  <tt class="py-line"><tt class="py-docstring">@copyright: Copyright (c) 2009 - The OWASP Foundation</tt> </tt>
<a name="L18"></a><tt class="py-lineno"> 18</tt>  <tt class="py-line"><tt class="py-docstring">@author: Craig Younkins (craig.younkins@owasp.org)</tt> </tt>
<a name="L19"></a><tt class="py-lineno"> 19</tt>  <tt class="py-line"><tt class="py-docstring">"""</tt> </tt>
<a name="L20"></a><tt class="py-lineno"> 20</tt>  <tt class="py-line"> </tt>
<a name="Encoder"></a><div id="Encoder-def"><a name="L21"></a><tt class="py-lineno"> 21</tt> <a class="py-toggle" href="#" id="Encoder-toggle" onclick="return toggle('Encoder');">-</a><tt class="py-line"><tt class="py-keyword">class</tt> <a class="py-def-name" href="esapi.encoder.Encoder-class.html">Encoder</a><tt class="py-op">(</tt><tt class="py-op">)</tt><tt class="py-op">:</tt> </tt>
</div><div id="Encoder-collapsed" style="display:none;" pad="+++" indent="++++"></div><div id="Encoder-expanded"><a name="L22"></a><tt class="py-lineno"> 22</tt>  <tt class="py-line">    <tt class="py-docstring">"""</tt> </tt>
<a name="L23"></a><tt class="py-lineno"> 23</tt>  <tt class="py-line"><tt class="py-docstring">    The Encoder interface contains a number of methods for decoding input and encoding output</tt> </tt>
<a name="L24"></a><tt class="py-lineno"> 24</tt>  <tt class="py-line"><tt class="py-docstring">    so that it will be safe for a variety of interpreters. To prevent</tt> </tt>
<a name="L25"></a><tt class="py-lineno"> 25</tt>  <tt class="py-line"><tt class="py-docstring">    double-encoding, callers should make sure input does not already contain encoded characters</tt> </tt>
<a name="L26"></a><tt class="py-lineno"> 26</tt>  <tt class="py-line"><tt class="py-docstring">    by calling canonicalize. Validator implementations should call canonicalize on user input</tt> </tt>
<a name="L27"></a><tt class="py-lineno"> 27</tt>  <tt class="py-line"><tt class="py-docstring">    B{before} validating to prevent encoded attacks.</tt> </tt>
<a name="L28"></a><tt class="py-lineno"> 28</tt>  <tt class="py-line"><tt class="py-docstring"></tt> </tt>
<a name="L29"></a><tt class="py-lineno"> 29</tt>  <tt class="py-line"><tt class="py-docstring">    All of the methods must use a "whitelist" or "positive" security model.</tt> </tt>
<a name="L30"></a><tt class="py-lineno"> 30</tt>  <tt class="py-line"><tt class="py-docstring">    For the encoding methods, this means that all characters should be encoded, except for a specific list of</tt> </tt>
<a name="L31"></a><tt class="py-lineno"> 31</tt>  <tt class="py-line"><tt class="py-docstring">    "immune" characters that are known to be safe.</tt> </tt>
<a name="L32"></a><tt class="py-lineno"> 32</tt>  <tt class="py-line"><tt class="py-docstring"></tt> </tt>
<a name="L33"></a><tt class="py-lineno"> 33</tt>  <tt class="py-line"><tt class="py-docstring">    The Encoder performs two key functions, encoding and decoding. These functions rely</tt> </tt>
<a name="L34"></a><tt class="py-lineno"> 34</tt>  <tt class="py-line"><tt class="py-docstring">    on a set of codecs that can be found in the org.owasp.esapi.codecs package. These include:</tt> </tt>
<a name="L35"></a><tt class="py-lineno"> 35</tt>  <tt class="py-line"><tt class="py-docstring">        - CSS Escaping</tt> </tt>
<a name="L36"></a><tt class="py-lineno"> 36</tt>  <tt class="py-line"><tt class="py-docstring">        - HTMLEntity Encoding</tt> </tt>
<a name="L37"></a><tt class="py-lineno"> 37</tt>  <tt class="py-line"><tt class="py-docstring">        - JavaScript Escaping</tt> </tt>
<a name="L38"></a><tt class="py-lineno"> 38</tt>  <tt class="py-line"><tt class="py-docstring">        - MySQL Escaping</tt> </tt>
<a name="L39"></a><tt class="py-lineno"> 39</tt>  <tt class="py-line"><tt class="py-docstring">        - Oracle Escaping</tt> </tt>
<a name="L40"></a><tt class="py-lineno"> 40</tt>  <tt class="py-line"><tt class="py-docstring">        - Percent Encoding (aka URL Encoding)</tt> </tt>
<a name="L41"></a><tt class="py-lineno"> 41</tt>  <tt class="py-line"><tt class="py-docstring">        - Unix Escaping</tt> </tt>
<a name="L42"></a><tt class="py-lineno"> 42</tt>  <tt class="py-line"><tt class="py-docstring">        - VBScript Escaping</tt> </tt>
<a name="L43"></a><tt class="py-lineno"> 43</tt>  <tt class="py-line"><tt class="py-docstring">        - Windows Encoding</tt> </tt>
<a name="L44"></a><tt class="py-lineno"> 44</tt>  <tt class="py-line"><tt class="py-docstring"></tt> </tt>
<a name="L45"></a><tt class="py-lineno"> 45</tt>  <tt class="py-line"><tt class="py-docstring">    @author: Craig Younkins (craig.younkins@owasp.org)</tt> </tt>
<a name="L46"></a><tt class="py-lineno"> 46</tt>  <tt class="py-line"><tt class="py-docstring">    """</tt> </tt>
<a name="L47"></a><tt class="py-lineno"> 47</tt>  <tt class="py-line">     </tt>
<a name="L48"></a><tt class="py-lineno"> 48</tt>  <tt class="py-line">    <tt class="py-comment"># Standard character sets</tt> </tt>
<a name="L49"></a><tt class="py-lineno"> 49</tt>  <tt class="py-line">    <tt id="link-0" class="py-name" targets="Variable esapi.encoder.Encoder.CHAR_LOWERS=esapi.encoder.Encoder-class.html#CHAR_LOWERS"><a title="esapi.encoder.Encoder.CHAR_LOWERS" class="py-name" href="#" onclick="return doclink('link-0', 'CHAR_LOWERS', 'link-0');">CHAR_LOWERS</a></tt> <tt class="py-op">=</tt> <tt class="py-string">'abcdefghijklmnopqrstuvwxyz'</tt> </tt>
<a name="L50"></a><tt class="py-lineno"> 50</tt>  <tt class="py-line">    <tt id="link-1" class="py-name" targets="Variable esapi.encoder.Encoder.CHAR_UPPERS=esapi.encoder.Encoder-class.html#CHAR_UPPERS"><a title="esapi.encoder.Encoder.CHAR_UPPERS" class="py-name" href="#" onclick="return doclink('link-1', 'CHAR_UPPERS', 'link-1');">CHAR_UPPERS</a></tt> <tt class="py-op">=</tt> <tt class="py-string">'ABCDEFGHIJKLMNOPQRSTUVWXYZ'</tt> </tt>
<a name="L51"></a><tt class="py-lineno"> 51</tt>  <tt class="py-line">    <tt id="link-2" class="py-name" targets="Variable esapi.encoder.Encoder.CHAR_DIGITS=esapi.encoder.Encoder-class.html#CHAR_DIGITS"><a title="esapi.encoder.Encoder.CHAR_DIGITS" class="py-name" href="#" onclick="return doclink('link-2', 'CHAR_DIGITS', 'link-2');">CHAR_DIGITS</a></tt> <tt class="py-op">=</tt> <tt class="py-string">'0123456789'</tt> </tt>
<a name="L52"></a><tt class="py-lineno"> 52</tt>  <tt class="py-line">    <tt id="link-3" class="py-name" targets="Variable esapi.encoder.Encoder.CHAR_SPECIALS=esapi.encoder.Encoder-class.html#CHAR_SPECIALS"><a title="esapi.encoder.Encoder.CHAR_SPECIALS" class="py-name" href="#" onclick="return doclink('link-3', 'CHAR_SPECIALS', 'link-3');">CHAR_SPECIALS</a></tt> <tt class="py-op">=</tt> <tt class="py-string">'.-_!@$^*=~|+?'</tt> </tt>
<a name="L53"></a><tt class="py-lineno"> 53</tt>  <tt class="py-line">    <tt id="link-4" class="py-name" targets="Variable esapi.encoder.Encoder.CHAR_LETTERS=esapi.encoder.Encoder-class.html#CHAR_LETTERS"><a title="esapi.encoder.Encoder.CHAR_LETTERS" class="py-name" href="#" onclick="return doclink('link-4', 'CHAR_LETTERS', 'link-4');">CHAR_LETTERS</a></tt> <tt class="py-op">=</tt> <tt id="link-5" class="py-name"><a title="esapi.encoder.Encoder.CHAR_LOWERS" class="py-name" href="#" onclick="return doclink('link-5', 'CHAR_LOWERS', 'link-0');">CHAR_LOWERS</a></tt> <tt class="py-op">+</tt> <tt id="link-6" class="py-name"><a title="esapi.encoder.Encoder.CHAR_UPPERS" class="py-name" href="#" onclick="return doclink('link-6', 'CHAR_UPPERS', 'link-1');">CHAR_UPPERS</a></tt> </tt>
<a name="L54"></a><tt class="py-lineno"> 54</tt>  <tt class="py-line">    <tt id="link-7" class="py-name" targets="Variable esapi.encoder.Encoder.CHAR_ALPHANUMERICS=esapi.encoder.Encoder-class.html#CHAR_ALPHANUMERICS"><a title="esapi.encoder.Encoder.CHAR_ALPHANUMERICS" class="py-name" href="#" onclick="return doclink('link-7', 'CHAR_ALPHANUMERICS', 'link-7');">CHAR_ALPHANUMERICS</a></tt> <tt class="py-op">=</tt> <tt id="link-8" class="py-name"><a title="esapi.encoder.Encoder.CHAR_LETTERS" class="py-name" href="#" onclick="return doclink('link-8', 'CHAR_LETTERS', 'link-4');">CHAR_LETTERS</a></tt> <tt class="py-op">+</tt> <tt id="link-9" class="py-name"><a title="esapi.encoder.Encoder.CHAR_DIGITS" class="py-name" href="#" onclick="return doclink('link-9', 'CHAR_DIGITS', 'link-2');">CHAR_DIGITS</a></tt> </tt>
<a name="L55"></a><tt class="py-lineno"> 55</tt>  <tt class="py-line">    <tt id="link-10" class="py-name" targets="Variable esapi.encoder.Encoder.CHAR_LOWER_HEX=esapi.encoder.Encoder-class.html#CHAR_LOWER_HEX"><a title="esapi.encoder.Encoder.CHAR_LOWER_HEX" class="py-name" href="#" onclick="return doclink('link-10', 'CHAR_LOWER_HEX', 'link-10');">CHAR_LOWER_HEX</a></tt> <tt class="py-op">=</tt> <tt id="link-11" class="py-name"><a title="esapi.encoder.Encoder.CHAR_DIGITS" class="py-name" href="#" onclick="return doclink('link-11', 'CHAR_DIGITS', 'link-2');">CHAR_DIGITS</a></tt> <tt class="py-op">+</tt> <tt class="py-string">'abcdef'</tt> </tt>
<a name="L56"></a><tt class="py-lineno"> 56</tt>  <tt class="py-line">    <tt id="link-12" class="py-name" targets="Variable esapi.encoder.Encoder.CHAR_UPPER_HEX=esapi.encoder.Encoder-class.html#CHAR_UPPER_HEX"><a title="esapi.encoder.Encoder.CHAR_UPPER_HEX" class="py-name" href="#" onclick="return doclink('link-12', 'CHAR_UPPER_HEX', 'link-12');">CHAR_UPPER_HEX</a></tt> <tt class="py-op">=</tt> <tt id="link-13" class="py-name"><a title="esapi.encoder.Encoder.CHAR_DIGITS" class="py-name" href="#" onclick="return doclink('link-13', 'CHAR_DIGITS', 'link-2');">CHAR_DIGITS</a></tt> <tt class="py-op">+</tt> <tt class="py-string">'ABCDEF'</tt> </tt>
<a name="L57"></a><tt class="py-lineno"> 57</tt>  <tt class="py-line">     </tt>
<a name="L58"></a><tt class="py-lineno"> 58</tt>  <tt class="py-line">    <tt class="py-string">"""</tt> </tt>
<a name="L59"></a><tt class="py-lineno"> 59</tt>  <tt class="py-line"><tt class="py-string">    Password character set, is alphanumerics (without l, i, I, o, O, and 0)</tt> </tt>
<a name="L60"></a><tt class="py-lineno"> 60</tt>  <tt class="py-line"><tt class="py-string">    selected specials like + (bad for URL encoding, | is like i and 1,</tt> </tt>
<a name="L61"></a><tt class="py-lineno"> 61</tt>  <tt class="py-line"><tt class="py-string">    etc...)</tt> </tt>
<a name="L62"></a><tt class="py-lineno"> 62</tt>  <tt class="py-line"><tt class="py-string">    """</tt> </tt>
<a name="L63"></a><tt class="py-lineno"> 63</tt>  <tt class="py-line">    <tt id="link-14" class="py-name" targets="Variable esapi.encoder.Encoder.CHAR_PASSWORD_LOWERS=esapi.encoder.Encoder-class.html#CHAR_PASSWORD_LOWERS"><a title="esapi.encoder.Encoder.CHAR_PASSWORD_LOWERS" class="py-name" href="#" onclick="return doclink('link-14', 'CHAR_PASSWORD_LOWERS', 'link-14');">CHAR_PASSWORD_LOWERS</a></tt> <tt class="py-op">=</tt> <tt class="py-string">'abcdefghjkmnpqrstuvwxyz'</tt> </tt>
<a name="L64"></a><tt class="py-lineno"> 64</tt>  <tt class="py-line">    <tt id="link-15" class="py-name" targets="Variable esapi.encoder.Encoder.CHAR_PASSWORD_UPPERS=esapi.encoder.Encoder-class.html#CHAR_PASSWORD_UPPERS"><a title="esapi.encoder.Encoder.CHAR_PASSWORD_UPPERS" class="py-name" href="#" onclick="return doclink('link-15', 'CHAR_PASSWORD_UPPERS', 'link-15');">CHAR_PASSWORD_UPPERS</a></tt> <tt class="py-op">=</tt> <tt class="py-string">'ABCDEFGHJKLMNPQRSTUVWXYZ'</tt> </tt>
<a name="L65"></a><tt class="py-lineno"> 65</tt>  <tt class="py-line">    <tt id="link-16" class="py-name" targets="Variable esapi.encoder.Encoder.CHAR_PASSWORD_DIGITS=esapi.encoder.Encoder-class.html#CHAR_PASSWORD_DIGITS"><a title="esapi.encoder.Encoder.CHAR_PASSWORD_DIGITS" class="py-name" href="#" onclick="return doclink('link-16', 'CHAR_PASSWORD_DIGITS', 'link-16');">CHAR_PASSWORD_DIGITS</a></tt> <tt class="py-op">=</tt> <tt class="py-string">'23456789'</tt> </tt>
<a name="L66"></a><tt class="py-lineno"> 66</tt>  <tt class="py-line">    <tt id="link-17" class="py-name" targets="Variable esapi.encoder.Encoder.CHAR_PASSWORD_SPECIALS=esapi.encoder.Encoder-class.html#CHAR_PASSWORD_SPECIALS"><a title="esapi.encoder.Encoder.CHAR_PASSWORD_SPECIALS" class="py-name" href="#" onclick="return doclink('link-17', 'CHAR_PASSWORD_SPECIALS', 'link-17');">CHAR_PASSWORD_SPECIALS</a></tt> <tt class="py-op">=</tt> <tt class="py-string">'_.!@$*=-?'</tt> </tt>
<a name="L67"></a><tt class="py-lineno"> 67</tt>  <tt class="py-line">    <tt id="link-18" class="py-name" targets="Variable esapi.encoder.Encoder.CHAR_PASSWORD_LETTERS=esapi.encoder.Encoder-class.html#CHAR_PASSWORD_LETTERS"><a title="esapi.encoder.Encoder.CHAR_PASSWORD_LETTERS" class="py-name" href="#" onclick="return doclink('link-18', 'CHAR_PASSWORD_LETTERS', 'link-18');">CHAR_PASSWORD_LETTERS</a></tt> <tt class="py-op">=</tt> <tt id="link-19" class="py-name"><a title="esapi.encoder.Encoder.CHAR_PASSWORD_LOWERS" class="py-name" href="#" onclick="return doclink('link-19', 'CHAR_PASSWORD_LOWERS', 'link-14');">CHAR_PASSWORD_LOWERS</a></tt> <tt class="py-op">+</tt> <tt id="link-20" class="py-name"><a title="esapi.encoder.Encoder.CHAR_PASSWORD_UPPERS" class="py-name" href="#" onclick="return doclink('link-20', 'CHAR_PASSWORD_UPPERS', 'link-15');">CHAR_PASSWORD_UPPERS</a></tt> </tt>
<a name="L68"></a><tt class="py-lineno"> 68</tt>  <tt class="py-line">    <tt id="link-21" class="py-name" targets="Variable esapi.encoder.Encoder.CHAR_PASSWORD_ALL=esapi.encoder.Encoder-class.html#CHAR_PASSWORD_ALL"><a title="esapi.encoder.Encoder.CHAR_PASSWORD_ALL" class="py-name" href="#" onclick="return doclink('link-21', 'CHAR_PASSWORD_ALL', 'link-21');">CHAR_PASSWORD_ALL</a></tt> <tt class="py-op">=</tt> <tt id="link-22" class="py-name"><a title="esapi.encoder.Encoder.CHAR_PASSWORD_LETTERS" class="py-name" href="#" onclick="return doclink('link-22', 'CHAR_PASSWORD_LETTERS', 'link-18');">CHAR_PASSWORD_LETTERS</a></tt> <tt class="py-op">+</tt> <tt id="link-23" class="py-name"><a title="esapi.encoder.Encoder.CHAR_PASSWORD_DIGITS" class="py-name" href="#" onclick="return doclink('link-23', 'CHAR_PASSWORD_DIGITS', 'link-16');">CHAR_PASSWORD_DIGITS</a></tt> <tt class="py-op">+</tt> <tt id="link-24" class="py-name"><a title="esapi.encoder.Encoder.CHAR_PASSWORD_SPECIALS" class="py-name" href="#" onclick="return doclink('link-24', 'CHAR_PASSWORD_SPECIALS', 'link-17');">CHAR_PASSWORD_SPECIALS</a></tt> </tt>
<a name="L69"></a><tt class="py-lineno"> 69</tt>  <tt class="py-line">     </tt>
<a name="Encoder.__init__"></a><div id="Encoder.__init__-def"><a name="L70"></a><tt class="py-lineno"> 70</tt> <a class="py-toggle" href="#" id="Encoder.__init__-toggle" onclick="return toggle('Encoder.__init__');">-</a><tt class="py-line">    <tt class="py-keyword">def</tt> <a class="py-def-name" href="esapi.encoder.Encoder-class.html#__init__">__init__</a><tt class="py-op">(</tt><tt class="py-param">self</tt><tt class="py-op">)</tt><tt class="py-op">:</tt> </tt>
</div><div id="Encoder.__init__-collapsed" style="display:none;" pad="+++" indent="++++++++"></div><div id="Encoder.__init__-expanded"><a name="L71"></a><tt class="py-lineno"> 71</tt>  <tt class="py-line">        <tt class="py-keyword">pass</tt> </tt>
</div><a name="L72"></a><tt class="py-lineno"> 72</tt>  <tt class="py-line"> </tt>
<a name="Encoder.canonicalize"></a><div id="Encoder.canonicalize-def"><a name="L73"></a><tt class="py-lineno"> 73</tt> <a class="py-toggle" href="#" id="Encoder.canonicalize-toggle" onclick="return toggle('Encoder.canonicalize');">-</a><tt class="py-line">    <tt class="py-keyword">def</tt> <a class="py-def-name" href="esapi.encoder.Encoder-class.html#canonicalize">canonicalize</a><tt class="py-op">(</tt><tt class="py-param">self</tt><tt class="py-op">,</tt> <tt class="py-param">input_</tt><tt class="py-op">,</tt> <tt class="py-param">strict</tt><tt class="py-op">=</tt><tt class="py-name">True</tt><tt class="py-op">)</tt><tt class="py-op">:</tt> </tt>
</div><div id="Encoder.canonicalize-collapsed" style="display:none;" pad="+++" indent="++++++++"></div><div id="Encoder.canonicalize-expanded"><a name="L74"></a><tt class="py-lineno"> 74</tt>  <tt class="py-line">        <tt class="py-docstring">"""</tt> </tt>
<a name="L75"></a><tt class="py-lineno"> 75</tt>  <tt class="py-line"><tt class="py-docstring">        Canonicalization is simply the operation of reducing a possibly encoded</tt> </tt>
<a name="L76"></a><tt class="py-lineno"> 76</tt>  <tt class="py-line"><tt class="py-docstring">        string down to its simplest form. This is important, because attackers</tt> </tt>
<a name="L77"></a><tt class="py-lineno"> 77</tt>  <tt class="py-line"><tt class="py-docstring">        frequently use encoding to change their input in a way that will bypass</tt> </tt>
<a name="L78"></a><tt class="py-lineno"> 78</tt>  <tt class="py-line"><tt class="py-docstring">        validation filters, but still be interpreted properly by the target of</tt> </tt>
<a name="L79"></a><tt class="py-lineno"> 79</tt>  <tt class="py-line"><tt class="py-docstring">        the attack. Note that data encoded more than once is not something that a</tt> </tt>
<a name="L80"></a><tt class="py-lineno"> 80</tt>  <tt class="py-line"><tt class="py-docstring">        normal user would generate and should be regarded as an attack.</tt> </tt>
<a name="L81"></a><tt class="py-lineno"> 81</tt>  <tt class="py-line"><tt class="py-docstring"></tt> </tt>
<a name="L82"></a><tt class="py-lineno"> 82</tt>  <tt class="py-line"><tt class="py-docstring">        Everyone U{says&lt;http://cwe.mitre.org/data/definitions/180.html&gt;} you shouldn't do validation</tt> </tt>
<a name="L83"></a><tt class="py-lineno"> 83</tt>  <tt class="py-line"><tt class="py-docstring">        without canonicalizing the data first. This is easier said than done. The canonicalize method can</tt> </tt>
<a name="L84"></a><tt class="py-lineno"> 84</tt>  <tt class="py-line"><tt class="py-docstring">        be used to simplify just about any input down to its most basic form. Note that canonicalize doesn't</tt> </tt>
<a name="L85"></a><tt class="py-lineno"> 85</tt>  <tt class="py-line"><tt class="py-docstring">        handle Unicode issues, it focuses on higher level encoding and escaping schemes. In addition to simple</tt> </tt>
<a name="L86"></a><tt class="py-lineno"> 86</tt>  <tt class="py-line"><tt class="py-docstring">        decoding, canonicalize also handles:</tt> </tt>
<a name="L87"></a><tt class="py-lineno"> 87</tt>  <tt class="py-line"><tt class="py-docstring">            - Perverse but legal variants of escaping schemes</tt> </tt>
<a name="L88"></a><tt class="py-lineno"> 88</tt>  <tt class="py-line"><tt class="py-docstring">            - Multiple escaping (%2526 or &amp;#x26;lt;)</tt> </tt>
<a name="L89"></a><tt class="py-lineno"> 89</tt>  <tt class="py-line"><tt class="py-docstring">            - Mixed escaping (%26lt;)</tt> </tt>
<a name="L90"></a><tt class="py-lineno"> 90</tt>  <tt class="py-line"><tt class="py-docstring">            - Nested escaping (%%316 or &amp;%6ct;)</tt> </tt>
<a name="L91"></a><tt class="py-lineno"> 91</tt>  <tt class="py-line"><tt class="py-docstring">            - All combinations of multiple, mixed, and nested encoding/escaping (%2&amp;#x35;3c or &amp;#x2526gt;)</tt> </tt>
<a name="L92"></a><tt class="py-lineno"> 92</tt>  <tt class="py-line"><tt class="py-docstring"></tt> </tt>
<a name="L93"></a><tt class="py-lineno"> 93</tt>  <tt class="py-line"><tt class="py-docstring">        Using canonicalize is simple. The default is just...</tt> </tt>
<a name="L94"></a><tt class="py-lineno"> 94</tt>  <tt class="py-line"><tt class="py-docstring">            </tt> </tt>
<a name="L95"></a><tt class="py-lineno"> 95</tt>  <tt class="py-line"><tt class="py-docstring">            &gt;&gt;&gt; clean = ESAPI.encoder().canonicalize( request.getParameter("input"))</tt> </tt>
<a name="L96"></a><tt class="py-lineno"> 96</tt>  <tt class="py-line"><tt class="py-docstring">            </tt> </tt>
<a name="L97"></a><tt class="py-lineno"> 97</tt>  <tt class="py-line"><tt class="py-docstring">        You need to decode untrusted data so that it's safe for ANY downstream interpreter or decoder. For</tt> </tt>
<a name="L98"></a><tt class="py-lineno"> 98</tt>  <tt class="py-line"><tt class="py-docstring">        example, if your data goes into a Windows command shell, then into a database, and then to a browser,</tt> </tt>
<a name="L99"></a><tt class="py-lineno"> 99</tt>  <tt class="py-line"><tt class="py-docstring">        you're going to need to decode for all of those systems. You can build a custom encoder to canonicalize</tt> </tt>
<a name="L100"></a><tt class="py-lineno">100</tt>  <tt class="py-line"><tt class="py-docstring">        for your application like this...</tt> </tt>
<a name="L101"></a><tt class="py-lineno">101</tt>  <tt class="py-line"><tt class="py-docstring">       </tt> </tt>
<a name="L102"></a><tt class="py-lineno">102</tt>  <tt class="py-line"><tt class="py-docstring">            &gt;&gt;&gt; codeclist = [WindowsCodec(), MySQLCodec(), PercentCodec()]</tt> </tt>
<a name="L103"></a><tt class="py-lineno">103</tt>  <tt class="py-line"><tt class="py-docstring">            &gt;&gt;&gt; encoder = DefaultEncoder( codeclist )</tt> </tt>
<a name="L104"></a><tt class="py-lineno">104</tt>  <tt class="py-line"><tt class="py-docstring">            &gt;&gt;&gt; clean = encoder.canonicalize( request.getParameter( "input" ))</tt> </tt>
<a name="L105"></a><tt class="py-lineno">105</tt>  <tt class="py-line"><tt class="py-docstring"></tt> </tt>
<a name="L106"></a><tt class="py-lineno">106</tt>  <tt class="py-line"><tt class="py-docstring">        In ESAPI, the Validator uses the canonicalize method before it does validation.  So all you need to</tt> </tt>
<a name="L107"></a><tt class="py-lineno">107</tt>  <tt class="py-line"><tt class="py-docstring">        do is to validate as normal and you'll be protected against a host of encoded attacks.</tt> </tt>
<a name="L108"></a><tt class="py-lineno">108</tt>  <tt class="py-line"><tt class="py-docstring"></tt> </tt>
<a name="L109"></a><tt class="py-lineno">109</tt>  <tt class="py-line"><tt class="py-docstring">            &gt;&gt;&gt; input = request.getParameter( "name" )</tt> </tt>
<a name="L110"></a><tt class="py-lineno">110</tt>  <tt class="py-line"><tt class="py-docstring">            &gt;&gt;&gt; name = ESAPI.validator().is_valid_input( "test", input, "FirstName", 20, False)</tt> </tt>
<a name="L111"></a><tt class="py-lineno">111</tt>  <tt class="py-line"><tt class="py-docstring"></tt> </tt>
<a name="L112"></a><tt class="py-lineno">112</tt>  <tt class="py-line"><tt class="py-docstring">        However, the default canonicalize() method only decodes HTMLEntity, percent (URL) encoding, and JavaScript</tt> </tt>
<a name="L113"></a><tt class="py-lineno">113</tt>  <tt class="py-line"><tt class="py-docstring">        encoding. If you'd like to use a custom canonicalizer with your validator, that's pretty easy too.</tt> </tt>
<a name="L114"></a><tt class="py-lineno">114</tt>  <tt class="py-line"><tt class="py-docstring"></tt> </tt>
<a name="L115"></a><tt class="py-lineno">115</tt>  <tt class="py-line"><tt class="py-docstring">            &gt;&gt;&gt; #... setup custom encoder as above</tt> </tt>
<a name="L116"></a><tt class="py-lineno">116</tt>  <tt class="py-line"><tt class="py-docstring">            &gt;&gt;&gt; validator = DefaultValidator( encoder )</tt> </tt>
<a name="L117"></a><tt class="py-lineno">117</tt>  <tt class="py-line"><tt class="py-docstring">            &gt;&gt;&gt; input = request.getParameter( "name" )</tt> </tt>
<a name="L118"></a><tt class="py-lineno">118</tt>  <tt class="py-line"><tt class="py-docstring">            &gt;&gt;&gt; name = validator.is_valid_input( "test", input, "name", 20, False)</tt> </tt>
<a name="L119"></a><tt class="py-lineno">119</tt>  <tt class="py-line"><tt class="py-docstring"></tt> </tt>
<a name="L120"></a><tt class="py-lineno">120</tt>  <tt class="py-line"><tt class="py-docstring">        Although ESAPI is able to canonicalize multiple, mixed, or nested encoding, it's safer to not accept</tt> </tt>
<a name="L121"></a><tt class="py-lineno">121</tt>  <tt class="py-line"><tt class="py-docstring">        this stuff in the first place. In ESAPI, the default is "strict" mode that throws an IntrusionException</tt> </tt>
<a name="L122"></a><tt class="py-lineno">122</tt>  <tt class="py-line"><tt class="py-docstring">        if it receives anything not single-encoded with a single scheme.  Currently this is not configurable</tt> </tt>
<a name="L123"></a><tt class="py-lineno">123</tt>  <tt class="py-line"><tt class="py-docstring">        in ESAPI.properties, but it probably should be.  Even if you disable "strict" mode, you'll still get</tt> </tt>
<a name="L124"></a><tt class="py-lineno">124</tt>  <tt class="py-line"><tt class="py-docstring">        warning messages in the log about each multiple encoding and mixed encoding received.</tt> </tt>
<a name="L125"></a><tt class="py-lineno">125</tt>  <tt class="py-line"><tt class="py-docstring"></tt> </tt>
<a name="L126"></a><tt class="py-lineno">126</tt>  <tt class="py-line"><tt class="py-docstring">            &gt;&gt;&gt; # disabling strict mode to allow mixed encoding</tt> </tt>
<a name="L127"></a><tt class="py-lineno">127</tt>  <tt class="py-line"><tt class="py-docstring">            &gt;&gt;&gt; url = ESAPI.encoder().canonicalize( request.getParameter("url"), False)</tt> </tt>
<a name="L128"></a><tt class="py-lineno">128</tt>  <tt class="py-line"><tt class="py-docstring"></tt> </tt>
<a name="L129"></a><tt class="py-lineno">129</tt>  <tt class="py-line"><tt class="py-docstring">        @see: U{W3C specifications&lt;http://www.w3.org/TR/html4/interact/forms.html#h-17.13.4&gt;}</tt> </tt>
<a name="L130"></a><tt class="py-lineno">130</tt>  <tt class="py-line"><tt class="py-docstring"></tt> </tt>
<a name="L131"></a><tt class="py-lineno">131</tt>  <tt class="py-line"><tt class="py-docstring">        @param input_: the text to canonicalize</tt> </tt>
<a name="L132"></a><tt class="py-lineno">132</tt>  <tt class="py-line"><tt class="py-docstring">        @param strict: true (default) if checking for double encoding is </tt> </tt>
<a name="L133"></a><tt class="py-lineno">133</tt>  <tt class="py-line"><tt class="py-docstring">            desired, false otherwise</tt> </tt>
<a name="L134"></a><tt class="py-lineno">134</tt>  <tt class="py-line"><tt class="py-docstring"></tt> </tt>
<a name="L135"></a><tt class="py-lineno">135</tt>  <tt class="py-line"><tt class="py-docstring">        @return: a string containing the canonicalized text</tt> </tt>
<a name="L136"></a><tt class="py-lineno">136</tt>  <tt class="py-line"><tt class="py-docstring"></tt> </tt>
<a name="L137"></a><tt class="py-lineno">137</tt>  <tt class="py-line"><tt class="py-docstring">        @raises EncodingException: if canonicalization fails</tt> </tt>
<a name="L138"></a><tt class="py-lineno">138</tt>  <tt class="py-line"><tt class="py-docstring">        """</tt> </tt>
<a name="L139"></a><tt class="py-lineno">139</tt>  <tt class="py-line">        <tt class="py-keyword">raise</tt> <tt class="py-name">NotImplementedError</tt><tt class="py-op">(</tt><tt class="py-op">)</tt> </tt>
</div><a name="L140"></a><tt class="py-lineno">140</tt>  <tt class="py-line"> </tt>
<a name="Encoder.encode_for_css"></a><div id="Encoder.encode_for_css-def"><a name="L141"></a><tt class="py-lineno">141</tt> <a class="py-toggle" href="#" id="Encoder.encode_for_css-toggle" onclick="return toggle('Encoder.encode_for_css');">-</a><tt class="py-line">    <tt class="py-keyword">def</tt> <a class="py-def-name" href="esapi.encoder.Encoder-class.html#encode_for_css">encode_for_css</a><tt class="py-op">(</tt><tt class="py-param">self</tt><tt class="py-op">,</tt> <tt class="py-param">input_</tt><tt class="py-op">)</tt><tt class="py-op">:</tt> </tt>
</div><div id="Encoder.encode_for_css-collapsed" style="display:none;" pad="+++" indent="++++++++"></div><div id="Encoder.encode_for_css-expanded"><a name="L142"></a><tt class="py-lineno">142</tt>  <tt class="py-line">        <tt class="py-docstring">"""</tt> </tt>
<a name="L143"></a><tt class="py-lineno">143</tt>  <tt class="py-line"><tt class="py-docstring">        Encode data for use in Cascading Style Sheets (CSS) content.</tt> </tt>
<a name="L144"></a><tt class="py-lineno">144</tt>  <tt class="py-line"><tt class="py-docstring"></tt> </tt>
<a name="L145"></a><tt class="py-lineno">145</tt>  <tt class="py-line"><tt class="py-docstring">        @see: U{CSS Syntax [w3.org]&lt;http://www.w3.org/TR/CSS21/syndata.html#escaped-characters&gt;}</tt> </tt>
<a name="L146"></a><tt class="py-lineno">146</tt>  <tt class="py-line"><tt class="py-docstring"></tt> </tt>
<a name="L147"></a><tt class="py-lineno">147</tt>  <tt class="py-line"><tt class="py-docstring">        @param input_: the text to encode for CSS</tt> </tt>
<a name="L148"></a><tt class="py-lineno">148</tt>  <tt class="py-line"><tt class="py-docstring"></tt> </tt>
<a name="L149"></a><tt class="py-lineno">149</tt>  <tt class="py-line"><tt class="py-docstring">        @return: input encoded for CSS</tt> </tt>
<a name="L150"></a><tt class="py-lineno">150</tt>  <tt class="py-line"><tt class="py-docstring">        """</tt> </tt>
<a name="L151"></a><tt class="py-lineno">151</tt>  <tt class="py-line">        <tt class="py-keyword">raise</tt> <tt class="py-name">NotImplementedError</tt><tt class="py-op">(</tt><tt class="py-op">)</tt> </tt>
</div><a name="L152"></a><tt class="py-lineno">152</tt>  <tt class="py-line"> </tt>
<a name="Encoder.encode_for_html"></a><div id="Encoder.encode_for_html-def"><a name="L153"></a><tt class="py-lineno">153</tt> <a class="py-toggle" href="#" id="Encoder.encode_for_html-toggle" onclick="return toggle('Encoder.encode_for_html');">-</a><tt class="py-line">    <tt class="py-keyword">def</tt> <a class="py-def-name" href="esapi.encoder.Encoder-class.html#encode_for_html">encode_for_html</a><tt class="py-op">(</tt><tt class="py-param">self</tt><tt class="py-op">,</tt> <tt class="py-param">input_</tt><tt class="py-op">)</tt><tt class="py-op">:</tt> </tt>
</div><div id="Encoder.encode_for_html-collapsed" style="display:none;" pad="+++" indent="++++++++"></div><div id="Encoder.encode_for_html-expanded"><a name="L154"></a><tt class="py-lineno">154</tt>  <tt class="py-line">        <tt class="py-docstring">"""</tt> </tt>
<a name="L155"></a><tt class="py-lineno">155</tt>  <tt class="py-line"><tt class="py-docstring">        Encode data for use in HTML using HTML entity encoding</tt> </tt>
<a name="L156"></a><tt class="py-lineno">156</tt>  <tt class="py-line"><tt class="py-docstring">        </tt> </tt>
<a name="L157"></a><tt class="py-lineno">157</tt>  <tt class="py-line"><tt class="py-docstring">        Note that the following characters:</tt> </tt>
<a name="L158"></a><tt class="py-lineno">158</tt>  <tt class="py-line"><tt class="py-docstring">        00-08, 0B-0C, 0E-1F, and 7F-9F</tt> </tt>
<a name="L159"></a><tt class="py-lineno">159</tt>  <tt class="py-line"><tt class="py-docstring">        cannot be used in HTML.</tt> </tt>
<a name="L160"></a><tt class="py-lineno">160</tt>  <tt class="py-line"><tt class="py-docstring"></tt> </tt>
<a name="L161"></a><tt class="py-lineno">161</tt>  <tt class="py-line"><tt class="py-docstring">        @see: U{HTML Encodings [wikipedia.org]&lt;http://en.wikipedia.org/wiki/Character_encodings_in_HTML&gt;}</tt> </tt>
<a name="L162"></a><tt class="py-lineno">162</tt>  <tt class="py-line"><tt class="py-docstring">        @see: U{SGML Specification [w3.org]&lt;http://www.w3.org/TR/html4/sgml/sgmldecl.html&gt;}</tt> </tt>
<a name="L163"></a><tt class="py-lineno">163</tt>  <tt class="py-line"><tt class="py-docstring">        @see: U{XML Specification [w3.org]&lt;http://www.w3.org/TR/REC-xml/#charsets&gt;}</tt> </tt>
<a name="L164"></a><tt class="py-lineno">164</tt>  <tt class="py-line"><tt class="py-docstring"></tt> </tt>
<a name="L165"></a><tt class="py-lineno">165</tt>  <tt class="py-line"><tt class="py-docstring">        @param input_: the text to encode for HTML</tt> </tt>
<a name="L166"></a><tt class="py-lineno">166</tt>  <tt class="py-line"><tt class="py-docstring"></tt> </tt>
<a name="L167"></a><tt class="py-lineno">167</tt>  <tt class="py-line"><tt class="py-docstring">        @return: input encoded for HTML</tt> </tt>
<a name="L168"></a><tt class="py-lineno">168</tt>  <tt class="py-line"><tt class="py-docstring">        """</tt> </tt>
<a name="L169"></a><tt class="py-lineno">169</tt>  <tt class="py-line">        <tt class="py-keyword">raise</tt> <tt class="py-name">NotImplementedError</tt><tt class="py-op">(</tt><tt class="py-op">)</tt> </tt>
</div><a name="L170"></a><tt class="py-lineno">170</tt>  <tt class="py-line"> </tt>
<a name="Encoder.encode_for_html_attribute"></a><div id="Encoder.encode_for_html_attribute-def"><a name="L171"></a><tt class="py-lineno">171</tt> <a class="py-toggle" href="#" id="Encoder.encode_for_html_attribute-toggle" onclick="return toggle('Encoder.encode_for_html_attribute');">-</a><tt class="py-line">    <tt class="py-keyword">def</tt> <a class="py-def-name" href="esapi.encoder.Encoder-class.html#encode_for_html_attribute">encode_for_html_attribute</a><tt class="py-op">(</tt><tt class="py-param">self</tt><tt class="py-op">,</tt> <tt class="py-param">input_</tt><tt class="py-op">)</tt><tt class="py-op">:</tt> </tt>
</div><div id="Encoder.encode_for_html_attribute-collapsed" style="display:none;" pad="+++" indent="++++++++"></div><div id="Encoder.encode_for_html_attribute-expanded"><a name="L172"></a><tt class="py-lineno">172</tt>  <tt class="py-line">        <tt class="py-docstring">"""</tt> </tt>
<a name="L173"></a><tt class="py-lineno">173</tt>  <tt class="py-line"><tt class="py-docstring">        Encode data for use in HTML attributes.</tt> </tt>
<a name="L174"></a><tt class="py-lineno">174</tt>  <tt class="py-line"><tt class="py-docstring"></tt> </tt>
<a name="L175"></a><tt class="py-lineno">175</tt>  <tt class="py-line"><tt class="py-docstring">        @param input_: the text to encode for an HTML attribute</tt> </tt>
<a name="L176"></a><tt class="py-lineno">176</tt>  <tt class="py-line"><tt class="py-docstring"></tt> </tt>
<a name="L177"></a><tt class="py-lineno">177</tt>  <tt class="py-line"><tt class="py-docstring">        @return: input encoded for use as an HTML attribute</tt> </tt>
<a name="L178"></a><tt class="py-lineno">178</tt>  <tt class="py-line"><tt class="py-docstring">        """</tt> </tt>
<a name="L179"></a><tt class="py-lineno">179</tt>  <tt class="py-line">        <tt class="py-keyword">raise</tt> <tt class="py-name">NotImplementedError</tt><tt class="py-op">(</tt><tt class="py-op">)</tt> </tt>
</div><a name="L180"></a><tt class="py-lineno">180</tt>  <tt class="py-line"> </tt>
<a name="Encoder.encode_for_javascript"></a><div id="Encoder.encode_for_javascript-def"><a name="L181"></a><tt class="py-lineno">181</tt> <a class="py-toggle" href="#" id="Encoder.encode_for_javascript-toggle" onclick="return toggle('Encoder.encode_for_javascript');">-</a><tt class="py-line">    <tt class="py-keyword">def</tt> <a class="py-def-name" href="esapi.encoder.Encoder-class.html#encode_for_javascript">encode_for_javascript</a><tt class="py-op">(</tt><tt class="py-param">self</tt><tt class="py-op">,</tt> <tt class="py-param">input_</tt><tt class="py-op">)</tt><tt class="py-op">:</tt> </tt>
</div><div id="Encoder.encode_for_javascript-collapsed" style="display:none;" pad="+++" indent="++++++++"></div><div id="Encoder.encode_for_javascript-expanded"><a name="L182"></a><tt class="py-lineno">182</tt>  <tt class="py-line">        <tt class="py-docstring">"""</tt> </tt>
<a name="L183"></a><tt class="py-lineno">183</tt>  <tt class="py-line"><tt class="py-docstring">        Encode data for insertion inside a data value in JavaScript. Putting user data directly</tt> </tt>
<a name="L184"></a><tt class="py-lineno">184</tt>  <tt class="py-line"><tt class="py-docstring">        inside a script is quite dangerous. Great care must be taken to prevent putting user data</tt> </tt>
<a name="L185"></a><tt class="py-lineno">185</tt>  <tt class="py-line"><tt class="py-docstring">        directly into script code itself, as no amount of encoding will prevent attacks there.</tt> </tt>
<a name="L186"></a><tt class="py-lineno">186</tt>  <tt class="py-line"><tt class="py-docstring"></tt> </tt>
<a name="L187"></a><tt class="py-lineno">187</tt>  <tt class="py-line"><tt class="py-docstring">        @param input_: the text to encode for JavaScript</tt> </tt>
<a name="L188"></a><tt class="py-lineno">188</tt>  <tt class="py-line"><tt class="py-docstring"></tt> </tt>
<a name="L189"></a><tt class="py-lineno">189</tt>  <tt class="py-line"><tt class="py-docstring">        @return: input encoded for use in JavaScript</tt> </tt>
<a name="L190"></a><tt class="py-lineno">190</tt>  <tt class="py-line"><tt class="py-docstring">        """</tt> </tt>
<a name="L191"></a><tt class="py-lineno">191</tt>  <tt class="py-line">        <tt class="py-keyword">raise</tt> <tt class="py-name">NotImplementedError</tt><tt class="py-op">(</tt><tt class="py-op">)</tt> </tt>
</div><a name="L192"></a><tt class="py-lineno">192</tt>  <tt class="py-line"> </tt>
<a name="Encoder.encode_for_vbscript"></a><div id="Encoder.encode_for_vbscript-def"><a name="L193"></a><tt class="py-lineno">193</tt> <a class="py-toggle" href="#" id="Encoder.encode_for_vbscript-toggle" onclick="return toggle('Encoder.encode_for_vbscript');">-</a><tt class="py-line">    <tt class="py-keyword">def</tt> <a class="py-def-name" href="esapi.encoder.Encoder-class.html#encode_for_vbscript">encode_for_vbscript</a><tt class="py-op">(</tt><tt class="py-param">self</tt><tt class="py-op">,</tt> <tt class="py-param">input_</tt><tt class="py-op">)</tt><tt class="py-op">:</tt> </tt>
</div><div id="Encoder.encode_for_vbscript-collapsed" style="display:none;" pad="+++" indent="++++++++"></div><div id="Encoder.encode_for_vbscript-expanded"><a name="L194"></a><tt class="py-lineno">194</tt>  <tt class="py-line">        <tt class="py-docstring">"""</tt> </tt>
<a name="L195"></a><tt class="py-lineno">195</tt>  <tt class="py-line"><tt class="py-docstring">        Encode data for insertion inside a data value in a Visual Basic script. Putting user data directly</tt> </tt>
<a name="L196"></a><tt class="py-lineno">196</tt>  <tt class="py-line"><tt class="py-docstring">        inside a script is quite dangerous. Great care must be taken to prevent putting user data</tt> </tt>
<a name="L197"></a><tt class="py-lineno">197</tt>  <tt class="py-line"><tt class="py-docstring">        directly into script code itself, as no amount of encoding will prevent attacks there.</tt> </tt>
<a name="L198"></a><tt class="py-lineno">198</tt>  <tt class="py-line"><tt class="py-docstring"></tt> </tt>
<a name="L199"></a><tt class="py-lineno">199</tt>  <tt class="py-line"><tt class="py-docstring">        This method is not recommended as VBScript is only supported by Internet Explorer</tt> </tt>
<a name="L200"></a><tt class="py-lineno">200</tt>  <tt class="py-line"><tt class="py-docstring"></tt> </tt>
<a name="L201"></a><tt class="py-lineno">201</tt>  <tt class="py-line"><tt class="py-docstring">        @param input_: the text to encode for VBScript</tt> </tt>
<a name="L202"></a><tt class="py-lineno">202</tt>  <tt class="py-line"><tt class="py-docstring"></tt> </tt>
<a name="L203"></a><tt class="py-lineno">203</tt>  <tt class="py-line"><tt class="py-docstring">        @return: input encoded for use in VBScript</tt> </tt>
<a name="L204"></a><tt class="py-lineno">204</tt>  <tt class="py-line"><tt class="py-docstring">        """</tt> </tt>
<a name="L205"></a><tt class="py-lineno">205</tt>  <tt class="py-line">        <tt class="py-keyword">raise</tt> <tt class="py-name">NotImplementedError</tt><tt class="py-op">(</tt><tt class="py-op">)</tt> </tt>
</div><a name="L206"></a><tt class="py-lineno">206</tt>  <tt class="py-line"> </tt>
<a name="Encoder.encode_for_sql"></a><div id="Encoder.encode_for_sql-def"><a name="L207"></a><tt class="py-lineno">207</tt> <a class="py-toggle" href="#" id="Encoder.encode_for_sql-toggle" onclick="return toggle('Encoder.encode_for_sql');">-</a><tt class="py-line">    <tt class="py-keyword">def</tt> <a class="py-def-name" href="esapi.encoder.Encoder-class.html#encode_for_sql">encode_for_sql</a><tt class="py-op">(</tt><tt class="py-param">self</tt><tt class="py-op">,</tt> <tt class="py-param">codec</tt><tt class="py-op">,</tt> <tt class="py-param">input_</tt><tt class="py-op">)</tt><tt class="py-op">:</tt> </tt>
</div><div id="Encoder.encode_for_sql-collapsed" style="display:none;" pad="+++" indent="++++++++"></div><div id="Encoder.encode_for_sql-expanded"><a name="L208"></a><tt class="py-lineno">208</tt>  <tt class="py-line">        <tt class="py-docstring">"""</tt> </tt>
<a name="L209"></a><tt class="py-lineno">209</tt>  <tt class="py-line"><tt class="py-docstring">        Encode input for use in a SQL query, according to the selected codec</tt> </tt>
<a name="L210"></a><tt class="py-lineno">210</tt>  <tt class="py-line"><tt class="py-docstring">        (appropriate codecs include the MySQLCodec and OracleCodec).</tt> </tt>
<a name="L211"></a><tt class="py-lineno">211</tt>  <tt class="py-line"><tt class="py-docstring"></tt> </tt>
<a name="L212"></a><tt class="py-lineno">212</tt>  <tt class="py-line"><tt class="py-docstring">        This method is not recommended. The use of the PreparedStatement</tt> </tt>
<a name="L213"></a><tt class="py-lineno">213</tt>  <tt class="py-line"><tt class="py-docstring">        interface is the preferred approach. However, if for some reason</tt> </tt>
<a name="L214"></a><tt class="py-lineno">214</tt>  <tt class="py-line"><tt class="py-docstring">        this is impossible, then this method is provided as a weaker</tt> </tt>
<a name="L215"></a><tt class="py-lineno">215</tt>  <tt class="py-line"><tt class="py-docstring">        alternative.</tt> </tt>
<a name="L216"></a><tt class="py-lineno">216</tt>  <tt class="py-line"><tt class="py-docstring"></tt> </tt>
<a name="L217"></a><tt class="py-lineno">217</tt>  <tt class="py-line"><tt class="py-docstring">        The best approach is to make sure any single-quotes are double-quoted.</tt> </tt>
<a name="L218"></a><tt class="py-lineno">218</tt>  <tt class="py-line"><tt class="py-docstring">        Another possible approach is to use the {escape} syntax described in the</tt> </tt>
<a name="L219"></a><tt class="py-lineno">219</tt>  <tt class="py-line"><tt class="py-docstring">        JDBC specification in section 1.5.6.</tt> </tt>
<a name="L220"></a><tt class="py-lineno">220</tt>  <tt class="py-line"><tt class="py-docstring"></tt> </tt>
<a name="L221"></a><tt class="py-lineno">221</tt>  <tt class="py-line"><tt class="py-docstring">        However, this syntax does not work with all drivers, and requires</tt> </tt>
<a name="L222"></a><tt class="py-lineno">222</tt>  <tt class="py-line"><tt class="py-docstring">        modification of all queries.</tt> </tt>
<a name="L223"></a><tt class="py-lineno">223</tt>  <tt class="py-line"><tt class="py-docstring"></tt> </tt>
<a name="L224"></a><tt class="py-lineno">224</tt>  <tt class="py-line"><tt class="py-docstring">        @see: U{JDBC Specification&lt;http://java.sun.com/j2se/1.4.2/docs/guide/jdbc/getstart/statement.html&gt;}</tt> </tt>
<a name="L225"></a><tt class="py-lineno">225</tt>  <tt class="py-line"><tt class="py-docstring"></tt> </tt>
<a name="L226"></a><tt class="py-lineno">226</tt>  <tt class="py-line"><tt class="py-docstring">        @param codec: a Codec that declares which database 'input' is being encoded for (ie. MySQL, Oracle, etc.)</tt> </tt>
<a name="L227"></a><tt class="py-lineno">227</tt>  <tt class="py-line"><tt class="py-docstring">        @param input_: the text to encode for SQL</tt> </tt>
<a name="L228"></a><tt class="py-lineno">228</tt>  <tt class="py-line"><tt class="py-docstring"></tt> </tt>
<a name="L229"></a><tt class="py-lineno">229</tt>  <tt class="py-line"><tt class="py-docstring">        @return: input encoded for use in SQL</tt> </tt>
<a name="L230"></a><tt class="py-lineno">230</tt>  <tt class="py-line"><tt class="py-docstring">        """</tt> </tt>
<a name="L231"></a><tt class="py-lineno">231</tt>  <tt class="py-line">        <tt class="py-keyword">raise</tt> <tt class="py-name">NotImplementedError</tt><tt class="py-op">(</tt><tt class="py-op">)</tt> </tt>
</div><a name="L232"></a><tt class="py-lineno">232</tt>  <tt class="py-line"> </tt>
<a name="Encoder.encode_for_os"></a><div id="Encoder.encode_for_os-def"><a name="L233"></a><tt class="py-lineno">233</tt> <a class="py-toggle" href="#" id="Encoder.encode_for_os-toggle" onclick="return toggle('Encoder.encode_for_os');">-</a><tt class="py-line">    <tt class="py-keyword">def</tt> <a class="py-def-name" href="esapi.encoder.Encoder-class.html#encode_for_os">encode_for_os</a><tt class="py-op">(</tt><tt class="py-param">self</tt><tt class="py-op">,</tt> <tt class="py-param">codec</tt><tt class="py-op">,</tt> <tt class="py-param">input_</tt><tt class="py-op">)</tt><tt class="py-op">:</tt> </tt>
</div><div id="Encoder.encode_for_os-collapsed" style="display:none;" pad="+++" indent="++++++++"></div><div id="Encoder.encode_for_os-expanded"><a name="L234"></a><tt class="py-lineno">234</tt>  <tt class="py-line">        <tt class="py-docstring">"""</tt> </tt>
<a name="L235"></a><tt class="py-lineno">235</tt>  <tt class="py-line"><tt class="py-docstring">        Encode for an operating system command shell according to the selected codec (appropriate codecs include</tt> </tt>
<a name="L236"></a><tt class="py-lineno">236</tt>  <tt class="py-line"><tt class="py-docstring">        the WindowsCodec and UnixCodec).</tt> </tt>
<a name="L237"></a><tt class="py-lineno">237</tt>  <tt class="py-line"><tt class="py-docstring"></tt> </tt>
<a name="L238"></a><tt class="py-lineno">238</tt>  <tt class="py-line"><tt class="py-docstring">        @param codec: a Codec that declares which operating system 'input' is being encoded for (ie. Windows, Unix, etc.)</tt> </tt>
<a name="L239"></a><tt class="py-lineno">239</tt>  <tt class="py-line"><tt class="py-docstring">        @param input_: the text to encode for the command shell</tt> </tt>
<a name="L240"></a><tt class="py-lineno">240</tt>  <tt class="py-line"><tt class="py-docstring"></tt> </tt>
<a name="L241"></a><tt class="py-lineno">241</tt>  <tt class="py-line"><tt class="py-docstring">        @return: input encoded for use in command shell</tt> </tt>
<a name="L242"></a><tt class="py-lineno">242</tt>  <tt class="py-line"><tt class="py-docstring">        """</tt> </tt>
<a name="L243"></a><tt class="py-lineno">243</tt>  <tt class="py-line">        <tt class="py-keyword">raise</tt> <tt class="py-name">NotImplementedError</tt><tt class="py-op">(</tt><tt class="py-op">)</tt> </tt>
</div><a name="L244"></a><tt class="py-lineno">244</tt>  <tt class="py-line"> </tt>
<a name="Encoder.encode_for_ldap"></a><div id="Encoder.encode_for_ldap-def"><a name="L245"></a><tt class="py-lineno">245</tt> <a class="py-toggle" href="#" id="Encoder.encode_for_ldap-toggle" onclick="return toggle('Encoder.encode_for_ldap');">-</a><tt class="py-line">    <tt class="py-keyword">def</tt> <a class="py-def-name" href="esapi.encoder.Encoder-class.html#encode_for_ldap">encode_for_ldap</a><tt class="py-op">(</tt><tt class="py-param">self</tt><tt class="py-op">,</tt> <tt class="py-param">input_</tt><tt class="py-op">)</tt><tt class="py-op">:</tt> </tt>
</div><div id="Encoder.encode_for_ldap-collapsed" style="display:none;" pad="+++" indent="++++++++"></div><div id="Encoder.encode_for_ldap-expanded"><a name="L246"></a><tt class="py-lineno">246</tt>  <tt class="py-line">        <tt class="py-docstring">"""</tt> </tt>
<a name="L247"></a><tt class="py-lineno">247</tt>  <tt class="py-line"><tt class="py-docstring">        Encode data for use in LDAP queries.</tt> </tt>
<a name="L248"></a><tt class="py-lineno">248</tt>  <tt class="py-line"><tt class="py-docstring"></tt> </tt>
<a name="L249"></a><tt class="py-lineno">249</tt>  <tt class="py-line"><tt class="py-docstring">        @param input_: the text to encode for LDAP</tt> </tt>
<a name="L250"></a><tt class="py-lineno">250</tt>  <tt class="py-line"><tt class="py-docstring"></tt> </tt>
<a name="L251"></a><tt class="py-lineno">251</tt>  <tt class="py-line"><tt class="py-docstring">        @return: input encoded for use in LDAP</tt> </tt>
<a name="L252"></a><tt class="py-lineno">252</tt>  <tt class="py-line"><tt class="py-docstring">        """</tt> </tt>
<a name="L253"></a><tt class="py-lineno">253</tt>  <tt class="py-line">        <tt class="py-keyword">raise</tt> <tt class="py-name">NotImplementedError</tt><tt class="py-op">(</tt><tt class="py-op">)</tt> </tt>
</div><a name="L254"></a><tt class="py-lineno">254</tt>  <tt class="py-line"> </tt>
<a name="Encoder.encode_for_dn"></a><div id="Encoder.encode_for_dn-def"><a name="L255"></a><tt class="py-lineno">255</tt> <a class="py-toggle" href="#" id="Encoder.encode_for_dn-toggle" onclick="return toggle('Encoder.encode_for_dn');">-</a><tt class="py-line">    <tt class="py-keyword">def</tt> <a class="py-def-name" href="esapi.encoder.Encoder-class.html#encode_for_dn">encode_for_dn</a><tt class="py-op">(</tt><tt class="py-param">self</tt><tt class="py-op">,</tt> <tt class="py-param">input_</tt><tt class="py-op">)</tt><tt class="py-op">:</tt> </tt>
</div><div id="Encoder.encode_for_dn-collapsed" style="display:none;" pad="+++" indent="++++++++"></div><div id="Encoder.encode_for_dn-expanded"><a name="L256"></a><tt class="py-lineno">256</tt>  <tt class="py-line">        <tt class="py-docstring">"""</tt> </tt>
<a name="L257"></a><tt class="py-lineno">257</tt>  <tt class="py-line"><tt class="py-docstring">        Encode data for use in an LDAP distinguished name.</tt> </tt>
<a name="L258"></a><tt class="py-lineno">258</tt>  <tt class="py-line"><tt class="py-docstring"></tt> </tt>
<a name="L259"></a><tt class="py-lineno">259</tt>  <tt class="py-line"><tt class="py-docstring">        @param input_: the text to encode for an LDAP distinguished name</tt> </tt>
<a name="L260"></a><tt class="py-lineno">260</tt>  <tt class="py-line"><tt class="py-docstring"></tt> </tt>
<a name="L261"></a><tt class="py-lineno">261</tt>  <tt class="py-line"><tt class="py-docstring">        @return: input encoded for use in an LDAP distinguished name</tt> </tt>
<a name="L262"></a><tt class="py-lineno">262</tt>  <tt class="py-line"><tt class="py-docstring">        """</tt> </tt>
<a name="L263"></a><tt class="py-lineno">263</tt>  <tt class="py-line">        <tt class="py-keyword">raise</tt> <tt class="py-name">NotImplementedError</tt><tt class="py-op">(</tt><tt class="py-op">)</tt> </tt>
</div><a name="L264"></a><tt class="py-lineno">264</tt>  <tt class="py-line"> </tt>
<a name="Encoder.encode_for_xpath"></a><div id="Encoder.encode_for_xpath-def"><a name="L265"></a><tt class="py-lineno">265</tt> <a class="py-toggle" href="#" id="Encoder.encode_for_xpath-toggle" onclick="return toggle('Encoder.encode_for_xpath');">-</a><tt class="py-line">    <tt class="py-keyword">def</tt> <a class="py-def-name" href="esapi.encoder.Encoder-class.html#encode_for_xpath">encode_for_xpath</a><tt class="py-op">(</tt><tt class="py-param">self</tt><tt class="py-op">,</tt> <tt class="py-param">input_</tt><tt class="py-op">)</tt><tt class="py-op">:</tt> </tt>
</div><div id="Encoder.encode_for_xpath-collapsed" style="display:none;" pad="+++" indent="++++++++"></div><div id="Encoder.encode_for_xpath-expanded"><a name="L266"></a><tt class="py-lineno">266</tt>  <tt class="py-line">        <tt class="py-docstring">"""</tt> </tt>
<a name="L267"></a><tt class="py-lineno">267</tt>  <tt class="py-line"><tt class="py-docstring">        Encode data for use in an XPath query.</tt> </tt>
<a name="L268"></a><tt class="py-lineno">268</tt>  <tt class="py-line"><tt class="py-docstring"></tt> </tt>
<a name="L269"></a><tt class="py-lineno">269</tt>  <tt class="py-line"><tt class="py-docstring">        NB: The reference implementation encodes almost everything and may over-encode.</tt> </tt>
<a name="L270"></a><tt class="py-lineno">270</tt>  <tt class="py-line"><tt class="py-docstring"></tt> </tt>
<a name="L271"></a><tt class="py-lineno">271</tt>  <tt class="py-line"><tt class="py-docstring">        The difficulty with XPath encoding is that XPath has no built in mechanism for escaping</tt> </tt>
<a name="L272"></a><tt class="py-lineno">272</tt>  <tt class="py-line"><tt class="py-docstring">        characters. It is possible to use XQuery in a parameterized way to</tt> </tt>
<a name="L273"></a><tt class="py-lineno">273</tt>  <tt class="py-line"><tt class="py-docstring">        prevent injection.</tt> </tt>
<a name="L274"></a><tt class="py-lineno">274</tt>  <tt class="py-line"><tt class="py-docstring"></tt> </tt>
<a name="L275"></a><tt class="py-lineno">275</tt>  <tt class="py-line"><tt class="py-docstring">        For more information, refer to U{this article&lt;http://www.ibm.com/developerworks/xml/library/x-xpathinjection.html&gt;}</tt> </tt>
<a name="L276"></a><tt class="py-lineno">276</tt>  <tt class="py-line"><tt class="py-docstring">        which specifies the following list of characters as the most</tt> </tt>
<a name="L277"></a><tt class="py-lineno">277</tt>  <tt class="py-line"><tt class="py-docstring">        dangerous: ^&amp;"*';&lt;&gt;(). U{This paper&lt;http://www.packetstormsecurity.org/papers/bypass/Blind_XPath_Injection_20040518.pdf&gt;}</tt> </tt>
<a name="L278"></a><tt class="py-lineno">278</tt>  <tt class="py-line"><tt class="py-docstring">        suggests disallowing ' and " in queries.</tt> </tt>
<a name="L279"></a><tt class="py-lineno">279</tt>  <tt class="py-line"><tt class="py-docstring"></tt> </tt>
<a name="L280"></a><tt class="py-lineno">280</tt>  <tt class="py-line"><tt class="py-docstring">        @see: U{XPath Injection [ibm.com]&lt;http://www.ibm.com/developerworks/xml/library/x-xpathinjection.html&gt;}</tt> </tt>
<a name="L281"></a><tt class="py-lineno">281</tt>  <tt class="py-line"><tt class="py-docstring">        @see: U{Blind XPath Injection [packetstormsecurity.org]&lt;http://www.packetstormsecurity.org/papers/bypass/Blind_XPath_Injection_20040518.pdf&gt;}</tt> </tt>
<a name="L282"></a><tt class="py-lineno">282</tt>  <tt class="py-line"><tt class="py-docstring"></tt> </tt>
<a name="L283"></a><tt class="py-lineno">283</tt>  <tt class="py-line"><tt class="py-docstring">        @param input_: the text to encode for XPath</tt> </tt>
<a name="L284"></a><tt class="py-lineno">284</tt>  <tt class="py-line"><tt class="py-docstring">        </tt> </tt>
<a name="L285"></a><tt class="py-lineno">285</tt>  <tt class="py-line"><tt class="py-docstring">        @return: input encoded for use in XPath</tt> </tt>
<a name="L286"></a><tt class="py-lineno">286</tt>  <tt class="py-line"><tt class="py-docstring">        """</tt> </tt>
<a name="L287"></a><tt class="py-lineno">287</tt>  <tt class="py-line">        <tt class="py-keyword">raise</tt> <tt class="py-name">NotImplementedError</tt><tt class="py-op">(</tt><tt class="py-op">)</tt> </tt>
</div><a name="L288"></a><tt class="py-lineno">288</tt>  <tt class="py-line"> </tt>
<a name="Encoder.encode_for_xml"></a><div id="Encoder.encode_for_xml-def"><a name="L289"></a><tt class="py-lineno">289</tt> <a class="py-toggle" href="#" id="Encoder.encode_for_xml-toggle" onclick="return toggle('Encoder.encode_for_xml');">-</a><tt class="py-line">    <tt class="py-keyword">def</tt> <a class="py-def-name" href="esapi.encoder.Encoder-class.html#encode_for_xml">encode_for_xml</a><tt class="py-op">(</tt><tt class="py-param">self</tt><tt class="py-op">,</tt> <tt class="py-param">input_</tt><tt class="py-op">)</tt><tt class="py-op">:</tt> </tt>
</div><div id="Encoder.encode_for_xml-collapsed" style="display:none;" pad="+++" indent="++++++++"></div><div id="Encoder.encode_for_xml-expanded"><a name="L290"></a><tt class="py-lineno">290</tt>  <tt class="py-line">        <tt class="py-docstring">"""</tt> </tt>
<a name="L291"></a><tt class="py-lineno">291</tt>  <tt class="py-line"><tt class="py-docstring">        Encode data for use in an XML element. The implementation should follow the </tt> </tt>
<a name="L292"></a><tt class="py-lineno">292</tt>  <tt class="py-line"><tt class="py-docstring">        U{XML Encoding Standard&lt;http://www.w3schools.com/xml/xml_encoding.asp&gt;}</tt> </tt>
<a name="L293"></a><tt class="py-lineno">293</tt>  <tt class="py-line"><tt class="py-docstring">        from the W3C.</tt> </tt>
<a name="L294"></a><tt class="py-lineno">294</tt>  <tt class="py-line"><tt class="py-docstring">        </tt> </tt>
<a name="L295"></a><tt class="py-lineno">295</tt>  <tt class="py-line"><tt class="py-docstring">        The use of a real XML parser is strongly encouraged. However, in the</tt> </tt>
<a name="L296"></a><tt class="py-lineno">296</tt>  <tt class="py-line"><tt class="py-docstring">        hopefully rare case that you need to make sure that data is safe for</tt> </tt>
<a name="L297"></a><tt class="py-lineno">297</tt>  <tt class="py-line"><tt class="py-docstring">        inclusion in an XML document and cannot use a parse, this method provides</tt> </tt>
<a name="L298"></a><tt class="py-lineno">298</tt>  <tt class="py-line"><tt class="py-docstring">        a safe mechanism to do so.</tt> </tt>
<a name="L299"></a><tt class="py-lineno">299</tt>  <tt class="py-line"><tt class="py-docstring"></tt> </tt>
<a name="L300"></a><tt class="py-lineno">300</tt>  <tt class="py-line"><tt class="py-docstring">        @see: U{XML Encoding Standard&lt;http://www.w3schools.com/xml/xml_encoding.asp&gt;}</tt> </tt>
<a name="L301"></a><tt class="py-lineno">301</tt>  <tt class="py-line"><tt class="py-docstring"></tt> </tt>
<a name="L302"></a><tt class="py-lineno">302</tt>  <tt class="py-line"><tt class="py-docstring">        @param input_: the text to encode for XML</tt> </tt>
<a name="L303"></a><tt class="py-lineno">303</tt>  <tt class="py-line"><tt class="py-docstring"></tt> </tt>
<a name="L304"></a><tt class="py-lineno">304</tt>  <tt class="py-line"><tt class="py-docstring">        @return: input encoded for use in XML</tt> </tt>
<a name="L305"></a><tt class="py-lineno">305</tt>  <tt class="py-line"><tt class="py-docstring">        """</tt> </tt>
<a name="L306"></a><tt class="py-lineno">306</tt>  <tt class="py-line">        <tt class="py-keyword">raise</tt> <tt class="py-name">NotImplementedError</tt><tt class="py-op">(</tt><tt class="py-op">)</tt> </tt>
</div><a name="L307"></a><tt class="py-lineno">307</tt>  <tt class="py-line"> </tt>
<a name="Encoder.encode_for_xml_attribute"></a><div id="Encoder.encode_for_xml_attribute-def"><a name="L308"></a><tt class="py-lineno">308</tt> <a class="py-toggle" href="#" id="Encoder.encode_for_xml_attribute-toggle" onclick="return toggle('Encoder.encode_for_xml_attribute');">-</a><tt class="py-line">    <tt class="py-keyword">def</tt> <a class="py-def-name" href="esapi.encoder.Encoder-class.html#encode_for_xml_attribute">encode_for_xml_attribute</a><tt class="py-op">(</tt><tt class="py-param">self</tt><tt class="py-op">,</tt> <tt class="py-param">input_</tt><tt class="py-op">)</tt><tt class="py-op">:</tt> </tt>
</div><div id="Encoder.encode_for_xml_attribute-collapsed" style="display:none;" pad="+++" indent="++++++++"></div><div id="Encoder.encode_for_xml_attribute-expanded"><a name="L309"></a><tt class="py-lineno">309</tt>  <tt class="py-line">        <tt class="py-docstring">"""</tt> </tt>
<a name="L310"></a><tt class="py-lineno">310</tt>  <tt class="py-line"><tt class="py-docstring">        Encode data for use in an XML attribute. The implementation should follow</tt> </tt>
<a name="L311"></a><tt class="py-lineno">311</tt>  <tt class="py-line"><tt class="py-docstring">        the U{XML Encoding Standard&lt;http://www.w3schools.com/xml/xml_encoding.asp&gt;}</tt> </tt>
<a name="L312"></a><tt class="py-lineno">312</tt>  <tt class="py-line"><tt class="py-docstring">        from the W3C.</tt> </tt>
<a name="L313"></a><tt class="py-lineno">313</tt>  <tt class="py-line"><tt class="py-docstring">        </tt> </tt>
<a name="L314"></a><tt class="py-lineno">314</tt>  <tt class="py-line"><tt class="py-docstring">        The use of a real XML parser is highly encouraged. However, in the</tt> </tt>
<a name="L315"></a><tt class="py-lineno">315</tt>  <tt class="py-line"><tt class="py-docstring">        hopefully rare case that you need to make sure that data is safe for</tt> </tt>
<a name="L316"></a><tt class="py-lineno">316</tt>  <tt class="py-line"><tt class="py-docstring">        inclusion in an XML document and cannot use a parse, this method provides</tt> </tt>
<a name="L317"></a><tt class="py-lineno">317</tt>  <tt class="py-line"><tt class="py-docstring">        a safe mechanism to do so.</tt> </tt>
<a name="L318"></a><tt class="py-lineno">318</tt>  <tt class="py-line"><tt class="py-docstring"></tt> </tt>
<a name="L319"></a><tt class="py-lineno">319</tt>  <tt class="py-line"><tt class="py-docstring">        @see: U{XML Encoding Standard&lt;http://www.w3schools.com/xml/xml_encoding.asp&gt;}</tt> </tt>
<a name="L320"></a><tt class="py-lineno">320</tt>  <tt class="py-line"><tt class="py-docstring"></tt> </tt>
<a name="L321"></a><tt class="py-lineno">321</tt>  <tt class="py-line"><tt class="py-docstring">        @param input_: the text to encode for use as an XML attribute</tt> </tt>
<a name="L322"></a><tt class="py-lineno">322</tt>  <tt class="py-line"><tt class="py-docstring"></tt> </tt>
<a name="L323"></a><tt class="py-lineno">323</tt>  <tt class="py-line"><tt class="py-docstring">        @return: input encoded for use in an XML attribute</tt> </tt>
<a name="L324"></a><tt class="py-lineno">324</tt>  <tt class="py-line"><tt class="py-docstring">        """</tt> </tt>
<a name="L325"></a><tt class="py-lineno">325</tt>  <tt class="py-line">        <tt class="py-keyword">raise</tt> <tt class="py-name">NotImplementedError</tt><tt class="py-op">(</tt><tt class="py-op">)</tt> </tt>
</div><a name="L326"></a><tt class="py-lineno">326</tt>  <tt class="py-line"> </tt>
<a name="Encoder.encode_for_url"></a><div id="Encoder.encode_for_url-def"><a name="L327"></a><tt class="py-lineno">327</tt> <a class="py-toggle" href="#" id="Encoder.encode_for_url-toggle" onclick="return toggle('Encoder.encode_for_url');">-</a><tt class="py-line">    <tt class="py-keyword">def</tt> <a class="py-def-name" href="esapi.encoder.Encoder-class.html#encode_for_url">encode_for_url</a><tt class="py-op">(</tt><tt class="py-param">self</tt><tt class="py-op">,</tt> <tt class="py-param">input_</tt><tt class="py-op">)</tt><tt class="py-op">:</tt> </tt>
</div><div id="Encoder.encode_for_url-collapsed" style="display:none;" pad="+++" indent="++++++++"></div><div id="Encoder.encode_for_url-expanded"><a name="L328"></a><tt class="py-lineno">328</tt>  <tt class="py-line">        <tt class="py-docstring">"""</tt> </tt>
<a name="L329"></a><tt class="py-lineno">329</tt>  <tt class="py-line"><tt class="py-docstring">        Encode for use in a URL. This method performs</tt> </tt>
<a name="L330"></a><tt class="py-lineno">330</tt>  <tt class="py-line"><tt class="py-docstring">        U{URL Encoding&lt;http://en.wikipedia.org/wiki/Percent-encoding&gt;}</tt> </tt>
<a name="L331"></a><tt class="py-lineno">331</tt>  <tt class="py-line"><tt class="py-docstring">        on the entire string.</tt> </tt>
<a name="L332"></a><tt class="py-lineno">332</tt>  <tt class="py-line"><tt class="py-docstring"></tt> </tt>
<a name="L333"></a><tt class="py-lineno">333</tt>  <tt class="py-line"><tt class="py-docstring">        @see: U{URL encoding&lt;http://en.wikipedia.org/wiki/Percent-encoding&gt;}</tt> </tt>
<a name="L334"></a><tt class="py-lineno">334</tt>  <tt class="py-line"><tt class="py-docstring"></tt> </tt>
<a name="L335"></a><tt class="py-lineno">335</tt>  <tt class="py-line"><tt class="py-docstring">        @param input_: the text to encode for use in a URL</tt> </tt>
<a name="L336"></a><tt class="py-lineno">336</tt>  <tt class="py-line"><tt class="py-docstring"></tt> </tt>
<a name="L337"></a><tt class="py-lineno">337</tt>  <tt class="py-line"><tt class="py-docstring">        @return: input_ encoded for use in a URL</tt> </tt>
<a name="L338"></a><tt class="py-lineno">338</tt>  <tt class="py-line"><tt class="py-docstring"></tt> </tt>
<a name="L339"></a><tt class="py-lineno">339</tt>  <tt class="py-line"><tt class="py-docstring">        @raises EncodingException: if encoding fails</tt> </tt>
<a name="L340"></a><tt class="py-lineno">340</tt>  <tt class="py-line"><tt class="py-docstring">        """</tt> </tt>
<a name="L341"></a><tt class="py-lineno">341</tt>  <tt class="py-line">        <tt class="py-keyword">raise</tt> <tt class="py-name">NotImplementedError</tt><tt class="py-op">(</tt><tt class="py-op">)</tt> </tt>
</div><a name="L342"></a><tt class="py-lineno">342</tt>  <tt class="py-line"> </tt>
<a name="Encoder.decode_from_url"></a><div id="Encoder.decode_from_url-def"><a name="L343"></a><tt class="py-lineno">343</tt> <a class="py-toggle" href="#" id="Encoder.decode_from_url-toggle" onclick="return toggle('Encoder.decode_from_url');">-</a><tt class="py-line">    <tt class="py-keyword">def</tt> <a class="py-def-name" href="esapi.encoder.Encoder-class.html#decode_from_url">decode_from_url</a><tt class="py-op">(</tt><tt class="py-param">self</tt><tt class="py-op">,</tt> <tt class="py-param">input_</tt><tt class="py-op">)</tt><tt class="py-op">:</tt> </tt>
</div><div id="Encoder.decode_from_url-collapsed" style="display:none;" pad="+++" indent="++++++++"></div><div id="Encoder.decode_from_url-expanded"><a name="L344"></a><tt class="py-lineno">344</tt>  <tt class="py-line">        <tt class="py-docstring">"""</tt> </tt>
<a name="L345"></a><tt class="py-lineno">345</tt>  <tt class="py-line"><tt class="py-docstring">        Decode from URL. Implementations should first canonicalize and</tt> </tt>
<a name="L346"></a><tt class="py-lineno">346</tt>  <tt class="py-line"><tt class="py-docstring">        detect any double-encoding. If this check passes, then the data is decoded using URL</tt> </tt>
<a name="L347"></a><tt class="py-lineno">347</tt>  <tt class="py-line"><tt class="py-docstring">        decoding.</tt> </tt>
<a name="L348"></a><tt class="py-lineno">348</tt>  <tt class="py-line"><tt class="py-docstring"></tt> </tt>
<a name="L349"></a><tt class="py-lineno">349</tt>  <tt class="py-line"><tt class="py-docstring">        @param input_: the text to decode from an encoded URL</tt> </tt>
<a name="L350"></a><tt class="py-lineno">350</tt>  <tt class="py-line"><tt class="py-docstring"></tt> </tt>
<a name="L351"></a><tt class="py-lineno">351</tt>  <tt class="py-line"><tt class="py-docstring">        @return: the decoded URL value</tt> </tt>
<a name="L352"></a><tt class="py-lineno">352</tt>  <tt class="py-line"><tt class="py-docstring"></tt> </tt>
<a name="L353"></a><tt class="py-lineno">353</tt>  <tt class="py-line"><tt class="py-docstring">        @raises EncodingException: if decoding fails</tt> </tt>
<a name="L354"></a><tt class="py-lineno">354</tt>  <tt class="py-line"><tt class="py-docstring">        """</tt> </tt>
<a name="L355"></a><tt class="py-lineno">355</tt>  <tt class="py-line">        <tt class="py-keyword">raise</tt> <tt class="py-name">NotImplementedError</tt><tt class="py-op">(</tt><tt class="py-op">)</tt> </tt>
</div><a name="L356"></a><tt class="py-lineno">356</tt>  <tt class="py-line"> </tt>
<a name="Encoder.encode_for_base64"></a><div id="Encoder.encode_for_base64-def"><a name="L357"></a><tt class="py-lineno">357</tt> <a class="py-toggle" href="#" id="Encoder.encode_for_base64-toggle" onclick="return toggle('Encoder.encode_for_base64');">-</a><tt class="py-line">    <tt class="py-keyword">def</tt> <a class="py-def-name" href="esapi.encoder.Encoder-class.html#encode_for_base64">encode_for_base64</a><tt class="py-op">(</tt><tt class="py-param">self</tt><tt class="py-op">,</tt> <tt class="py-param">input_</tt><tt class="py-op">)</tt><tt class="py-op">:</tt> </tt>
</div><div id="Encoder.encode_for_base64-collapsed" style="display:none;" pad="+++" indent="++++++++"></div><div id="Encoder.encode_for_base64-expanded"><a name="L358"></a><tt class="py-lineno">358</tt>  <tt class="py-line">        <tt class="py-docstring">"""</tt> </tt>
<a name="L359"></a><tt class="py-lineno">359</tt>  <tt class="py-line"><tt class="py-docstring">        Encode for Base64.</tt> </tt>
<a name="L360"></a><tt class="py-lineno">360</tt>  <tt class="py-line"><tt class="py-docstring"></tt> </tt>
<a name="L361"></a><tt class="py-lineno">361</tt>  <tt class="py-line"><tt class="py-docstring">        @param input_: the text to encode for Base64</tt> </tt>
<a name="L362"></a><tt class="py-lineno">362</tt>  <tt class="py-line"><tt class="py-docstring"></tt> </tt>
<a name="L363"></a><tt class="py-lineno">363</tt>  <tt class="py-line"><tt class="py-docstring">        @return: input encoded for Base64</tt> </tt>
<a name="L364"></a><tt class="py-lineno">364</tt>  <tt class="py-line"><tt class="py-docstring">        """</tt> </tt>
<a name="L365"></a><tt class="py-lineno">365</tt>  <tt class="py-line">        <tt class="py-keyword">raise</tt> <tt class="py-name">NotImplementedError</tt><tt class="py-op">(</tt><tt class="py-op">)</tt> </tt>
</div><a name="L366"></a><tt class="py-lineno">366</tt>  <tt class="py-line"> </tt>
<a name="Encoder.decode_from_base64"></a><div id="Encoder.decode_from_base64-def"><a name="L367"></a><tt class="py-lineno">367</tt> <a class="py-toggle" href="#" id="Encoder.decode_from_base64-toggle" onclick="return toggle('Encoder.decode_from_base64');">-</a><tt class="py-line">    <tt class="py-keyword">def</tt> <a class="py-def-name" href="esapi.encoder.Encoder-class.html#decode_from_base64">decode_from_base64</a><tt class="py-op">(</tt><tt class="py-param">self</tt><tt class="py-op">,</tt> <tt class="py-param">input_</tt><tt class="py-op">)</tt><tt class="py-op">:</tt> </tt>
</div><div id="Encoder.decode_from_base64-collapsed" style="display:none;" pad="+++" indent="++++++++"></div><div id="Encoder.decode_from_base64-expanded"><a name="L368"></a><tt class="py-lineno">368</tt>  <tt class="py-line">        <tt class="py-docstring">"""</tt> </tt>
<a name="L369"></a><tt class="py-lineno">369</tt>  <tt class="py-line"><tt class="py-docstring">        Decode data encoded with BASE-64 encoding.</tt> </tt>
<a name="L370"></a><tt class="py-lineno">370</tt>  <tt class="py-line"><tt class="py-docstring"></tt> </tt>
<a name="L371"></a><tt class="py-lineno">371</tt>  <tt class="py-line"><tt class="py-docstring">        @param input_: the Base64 text to decode</tt> </tt>
<a name="L372"></a><tt class="py-lineno">372</tt>  <tt class="py-line"><tt class="py-docstring"></tt> </tt>
<a name="L373"></a><tt class="py-lineno">373</tt>  <tt class="py-line"><tt class="py-docstring">        @return: input decoded from Base64</tt> </tt>
<a name="L374"></a><tt class="py-lineno">374</tt>  <tt class="py-line"><tt class="py-docstring"></tt> </tt>
<a name="L375"></a><tt class="py-lineno">375</tt>  <tt class="py-line"><tt class="py-docstring">        @raises IOException:</tt> </tt>
<a name="L376"></a><tt class="py-lineno">376</tt>  <tt class="py-line"><tt class="py-docstring">        """</tt> </tt>
<a name="L377"></a><tt class="py-lineno">377</tt>  <tt class="py-line">        <tt class="py-keyword">raise</tt> <tt class="py-name">NotImplementedError</tt><tt class="py-op">(</tt><tt class="py-op">)</tt> </tt>
</div></div><a name="L378"></a><tt class="py-lineno">378</tt>  <tt class="py-line"> </tt><script type="text/javascript">
<!--
expandto(location.href);
// -->
</script>
</pre>
<br />
<!-- ==================== NAVIGATION BAR ==================== -->
<table class="navbar" border="0" width="100%" cellpadding="0"
       bgcolor="#a0c0ff" cellspacing="0">
  <tr valign="middle">
  <!-- Home link -->
      <th>&nbsp;&nbsp;&nbsp;<a
        href="esapi-module.html">Home</a>&nbsp;&nbsp;&nbsp;</th>

  <!-- Tree link -->
      <th>&nbsp;&nbsp;&nbsp;<a
        href="module-tree.html">Trees</a>&nbsp;&nbsp;&nbsp;</th>

  <!-- Index link -->
      <th>&nbsp;&nbsp;&nbsp;<a
        href="identifier-index.html">Indices</a>&nbsp;&nbsp;&nbsp;</th>

  <!-- Help link -->
      <th>&nbsp;&nbsp;&nbsp;<a
        href="help.html">Help</a>&nbsp;&nbsp;&nbsp;</th>

      <th class="navbar" width="100%"></th>
  </tr>
</table>
<table border="0" cellpadding="0" cellspacing="0" width="100%%">
  <tr>
    <td align="left" class="footer">
    Generated by Epydoc 3.0.1 on Sun Nov  8 16:04:22 2009
    </td>
    <td align="right" class="footer">
      <a target="mainFrame" href="http://epydoc.sourceforge.net"
        >http://epydoc.sourceforge.net</a>
    </td>
  </tr>
</table>

<script type="text/javascript">
  <!--
  // Private objects are initially displayed (because if
  // javascript is turned off then we want them to be
  // visible); but by default, we want to hide them.  So hide
  // them unless we have a cookie that says to show them.
  checkCookie();
  // -->
</script>
</body>
</html>
